Stanford CIS

Guest Post: The NSA’s Culture of “Legal Compliance” Still Breaks the Law

By Christopher Sprigman on

Cross-posted from Just Security.

Lately the NSA has been on a public relations offensive that has two principal aims. First, the agency is trying to convince the public that a lot of the NSA’s bad press is based on misunderstandings and factual errors regarding what the agency’s actual activities are. The agency isn’t completely wrong here, but given what we know to be true about NSA mass surveillance and the at best tenuous legal basis for much of what the agency is doing, the NSA’s complaints about inaccuracy are pretty weak stuff. With anything as complicated and secretive as the NSA’s mass surveillance programs, some of the press reporting and public debate will be off base – at least at first, until additional reporting has filled in some of the gaps and righted the inaccuracies. And the bulk of the reporting has been accurate right from the start – even though the agency has generally been unhelpful in sorting out the truth.

But I’ll leave that for another time, because it’s the second piece of the public relations offensive that interests me most. The NSA has sent out two of its top lawyers – General Counsel Rajesh De and Director of Compliance John DeLong – to make the pitch that the agency, far from being the out-of-control surveillance machine that some in the press are making it out to be, is actually an intensely-regulated, closely-watched, and law-abiding good citizen. In particular, De and DeLong pushed this picture of the agency in separate interviews with Lawfare’s Ben Wittes and Robert Chesney. And De gave a speech at Georgetown University Law School that made many of the same points.

There are a lot of interesting things in those interviews, which I’d urge you all to listen to and judge for yourselves. (Here’s the DeLong interview; and here’s the De interview.) But in advance of that, I’ll give you my take: After listening to both interviews and thinking about DeLong’s and De’s statements at some length, I’m not reassured at all. In fact, I’m increasingly concerned that the culture of lawyering at the NSA, far from assuring the agency’s lawfulness, actually aids and abets the essential lawlessness of the mass surveillance programs. As I’m about to describe, there is a danger here that the role of the NSA’s lawyers – and this goes for both De and DeLong – creates the appearance but not the reality of lawfulness, and, in the end, does not vindicate the law, but subverts it.

What do I mean by this? If you listen to the De and DeLong interviews, you’ll notice two things. First, De and DeLong suggest that they and the agency’s other lawyers have very little – if any – input into the Administration’s interpretation of the agency’s legal authority. Nowhere in his interview does either lawyer suggest that he has any independent view of the agency’s legal authority to conduct mass surveillance. DeLong states pretty clearly that questioning the legal interpretation is not within his job description. And De emphasizes repeatedly that he relies on the expansive interpretation of the NSA’s authority that he says has been approved by Congress, and the courts, and the Administration. He gives no indication that he has his own view on the scope of the agency’s authority. Or that he has engaged with the arguments – which are, in my view, conclusive – that the agency is overrunning that authority.

Let me start with De. Respectfully, if the NSA’s chief lawyer is trying to push back against the increasingly widely held view that the NSA is essentially lawless, he’s got to do better than this. De is the NSA general counsel. He’s the person at the NSA directly responsible for ensuring that the agency operates within the law. He can’t contract that job out to Congress, or the court, or the Administration, because it’s NSA employees who have to carry out the Administration’s mass spying policies, and De is the person at the agency responsible to make sure that these particular employees are provided with the appropriate legal authority to do what they are being asked to do. And it’s especially important here that De have an active role, for at least two reasons. First, the asserted statutory authority for the NSA’s mass surveillance programs is shockingly weak. And second, there is in reality very little oversight by Congress, the courts, or the Administration.

The broader point is this: If NSA lawyers De and DeLong really want to argue that the agency is operating within the law, they have got to do their own work to defend a broad interpretation of the agency’s authority. In my view, that task is hopeless. But if De and DeLong want to convince us there’s reason to disagree, they are going to have to explicitly tell us why.

Consider first the asserted authority for the NSA’s telephony metadata program. The law under which the government collected this data, section 215 of the Patriot Act, allows the F.B.I. to obtain court orders demanding that a person or company produce “tangible things,” upon showing reasonable grounds that the things sought are “relevant” to an authorized foreign intelligence investigation.

The government claims that under section 215 it may seize all of our phone call information now because the government has a continuing interest in preventing terrorism, and the data it seizes today might conceivably be “relevant” to an investigation at some later date, even if there is no particular reason to believe that any but an infinitesimal fraction of the unprecedentedly massive pile of data collected might possibly be suspicious or even relevant — ever.

That is a shockingly flimsy argument. For centuries, Anglo-American law has understood that to be “relevant,” evidence must be somehow related to a particular existing investigation or dispute. If evidence is “relevant” just because it could hypothetically relate to some future investigation that we don’t know about yet, it makes a mockery of the meaning of relevance—any evidence might be “relevant” to an investigation eventually, if by “eventually” you mean “sometime before the end of time.” In short, the government’s interpretation of its own authority to collect telephony metadata under section 215 isn’t just wrong. It’s farcical.

The government’s justification for the “PRISM” program, under which the NSA collects vast amounts of e-mails and other messages—including communications to, from and between Americans—is scarcely better. The government justifies PRISM under the FISA Amendments Act of 2008. Section 1881a of that act gives the President broad authority to conduct warrantless electronic surveillance. And yet the PRISM program appears to outstrip that authority. In particular, the law makes clear that the government “may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States.”

The government knows that it regularly obtains Americans’ protected communications. The Washington Post reported that PRISM is designed to produce at least 51 percent confidence in a target’s “foreignness” — as John Oliver of “The Daily Show” put it, “a coin flip plus 1 percent.” By turning a blind eye to the fact that 49-plus percent of the communications might contain communications that are purely among Americans, the NSA has intentionally acquired information it is not allowed to have, even under the terrifyingly broad auspices of the FISA Amendments Act. My friend and co-author Jennifer Granick detailed how this happens in a recent post on this blog.

What’s happening is that, when conducting upstream collection, NSA’s systems don’t always pull single messages; rather, they regularly capture what the agency, with characteristic opacity, refers to as “Internet transactions.” An “Internet transaction” may be comprised of a single message – an “SCT”, in NSA-speak. According to Judge Bates of the FISA court, approximately 46,000 SCTs collected every year are purely domestic communications between Americans, collected from international switches because they are about matters of foreign intelligence interest. Further, Internet transactions often contain multiple messages – the agency refers to this bundle of messages as an “MCT.” If only one message in an MCT is responsive to the NSA’s targeting terms, the NSA devices nonetheless pull the entire package of messages into the NSA databases. MCTs can contain messages that have nothing to do with foreigners or foreign intelligence. In total, NSA’s internal auditing, done, as Granick put it, “at Judge Bates’ version of gunpoint,” put the number of improperly collected wholly domestic American messages at approximately 56,000 in 2011.

The NSA’s figure is very likely to be an undercount, and perhaps a gross undercount, because it assumes that each MCT contains only one improperly collected communication. Further, the figure only attempts to include domestic messages captured under this particular legal authority, and not under Executive Order 12333 or other rationales. But in any event, 56,000 prohibited communications in a year is bad enough. How could vacuuming up so many prohibited “pure-U.S.” communications conform with the legal limitations found in the FISA Amendments Act? Well, as James R. Clapper Jr., the Director of National Intelligence, told Andrea Mitchell of NBC, the N.S.A. uses the word “acquire” only when it pulls information out of its gigantic database of communications and not when it first intercepts and stores the information.

So according to the man President Obama put in charge of our nation’s intelligence services, tapping Internet communications, diverting them to NSA computers, and storing them on NSA hard drives is not “acquiring” them. Here’s an analogy: You carjack a truck full of merchandise. And the police pull you over after you’ve driven only a few blocks. It’s clear you’ve stolen the truck. But have you stolen the merchandise? No, you say, because you haven’t yet looked in the back of the truck. Until you look, you say, you haven’t stolen anything.

That’s not going to work. And DNI Clapper’s interpretation of when the NSA “acquires” the communications it intercepts and records isn’t any better. Again, the Administration’s account of what the NSA is permitted to do under the FISA Amendments Act isn’t just bad statutory interpretation. It has become the subject of ridicule.

Back to Rajesh De, NSA General Counsel. He is the man charged with ensuring the NSA operates according to law. So how can he ethically rely on interpretations of the agency’s spying authority that are so obviously problematic? As previously mentioned, De’s principal argument is that the Administration, Congress, and the courts have all blessed a wide interpretation of NSA spying authority, and so who is he to disagree? But that argument doesn’t hold up.

Let’s first consider the Administration’s supposed blessing of NSA programs. The Administration defended its interpretation of the meaning of “relevant” in section 215 in a white paper released in August 2013. That defense is, at best, unsuccessful. The Administration cites a number of cases that make clear that law enforcement may access records relevant to a particular investigation, and, indeed, may access the files of particular businesses, or entire computer hard drives, to find a subset of documents relevant to a particular investigation. Those cases broadly make sense, because they involve a targeted firm or individual very likely to have evidence relevant to a specific, existing investigation. But that’s nothing like what’s involved in the NSA’s mass spying programs. The Administration cites no case standing for anything like the proposition that it’s trying to prop up — that government can access the telephone records of millions of Americans suspected of no wrongdoing because some infinitesimal subset of those records may conceivably be of value to the government’s continuing efforts to prevent terrorism. There is no such case the government could cite, because the principal of relevance, as we’ve always understood it, is directly inimical to the government’s entire project of suspicionless mass surveillance. The arguments on the meaning of “relevant” in the Administration’s white paper are shoddy, utterly result-oriented, and legal fiction.

If Administration lawyers have defended DNI Clapper’s interpretation of the meaning of “acquire” in section 1881a of the FISA Amendments Act, I haven’t seen it. And I don’t recommend they start now. We all know what it means to “acquire” something. It ain’t what Clapper says.

What about Congress? Haven’t they approved the Administration’s interpretation of the NSA’s authority? Hardly. As Marcy Wheeler has noted, the NSA has hidden from Congress the full extent of its spying on Americans. But frankly even if the NSA had been more forthcoming, key members of Congress, such as Senate Intelligence Committee Chair Dianne Feinstein and ranking member Mike Rogers, seem interested mostly in ensuring that the NSA continue its mass surveillance programs regardless of whether they are lawful or not. In any event, the law isn’t what any particular member of Congress thinks it is. The text of section 215 of the Patriot Act and section 1881a of the FISA Amendments Act is the law, and that text simply does not authorize what the NSA is doing in its telephone metadata and FISA Amendments Act mass spying programs. Nothing Congress has done changes that. Actually, even that last sentence overstates the degree to which De can rely on Congress. Because Congress hasn’t actually done anything. Rather, Congress has failed to act. And to construe Congress’s inaction as acquiescence in an Administration interpretation of its authority that is so palpably at odds with what the law actually provides is leaning far too heavily on the most slender imaginable reed.

Finally, what about the courts? Judge Richard Leon of the Federal District Court for the District of Columbia recently held that section 215 collection violated the Fourth Amendment. He did not, however, reach the section 215 relevance issue.

On the other hand, Judge William Pauley of the Southern District of New York recently upheld the Administration’s broad interpretation of its authority under section 215. But again, the opinion is utterly results-oriented, unsupported by precedent, and unconvincing. The gist of the Pauley opinion is that the Administration’s interpretation is correct because the government’s mass spying programs are necessary to national security, and that Congress must have legislated with that understanding. Judge Pauley must be unaware of the statements by Representative F. James Sensenbrenner Jr., a Wisconsin Republican, one of the architects of the Patriot Act, and a man not known as a civil libertarian. In the wake of the Snowden revelations and the ensuing uproar about the NSA’s mass spying programs, Sensenbrenner said that “Congress intended to allow the intelligence communities to access targeted information for specific investigations.” But the NSA’s demand for information about every American’s phone calls isn’t “targeted” at all — it’s a dragnet. “How can every call that every American makes or receives be relevant to a specific investigation?” Mr. Sensenbrenner asked. The answer is simple: It’s not. And nothing Judge Pauley says can make it so.

I could go on, for example about how the judgment of the Potemkin FISA Court isn’t viable, but Julian Sanchez has already dealt very capably with that in a recent post on this blog. And in any event I want to finish my point about Rajesh De and then move on to John De Long. The upshot is this: If Rajesh De wants to defend the lawfulness of NSA’s mass surveillance programs, he’s going to have to give us his own arguments for why those programs meet the standards of sections 215 of the Patriot Act and 1881a of the FISA Amendments Act. And he’s going to have to do better — much better — than other parts of the Administration, the Congress, and the courts have done thus far. If he doesn’t, then he’s not discharging his responsibility as the NSA’s chief legal officer to ensure that the agency is operating within the law. The NSA’s General Counsel cannot rely wholly on others’ interpretations of the agency’s authority – especially when those interpretations are as flimsy as they, at present, are.

Now on to NSA Director of Compliance John DeLong. Unlike De, who fudges on this question, DeLong states clearly that it’s not his job to assess whether the Administration’s interpretation of the agency’s legal authority to conduct mass spying is correct. DeLong insists that his responsibility as the agency’s chief compliance lawyer is limited to making sure that whatever that interpretation is, the agency complies with it. DeLong uses the metaphor of the recipe versus the cooking. His job, DeLong says in his interview, is not to determine the recipe. It’s to make sure that the people in the kitchen follow the recipe. Translated into what DeLong actually does for a living, that means that DeLong is indifferent to whether the Administration’s understanding of the scope of the NSA’s legal authority to conduct mass surveillance is correct or even plausible. DeLong’s job is simply to make sure that, whatever that interpretation of the agency’s authority is, the agency adheres to it.

The obvious problem with the metaphor is that if the recipe is poison, then DeLong’s metaphorical job is to make sure the kitchen staff faithfully prepares poisonous food for all of us to eat. Or, again focusing on DeLong’s actual understanding of his job, if the Administration’s legal interpretation is not in fact lawful, then DeLong’s compliance efforts aren’t providing lawfulness but the negation of it. Is that really what the NSA’s chief compliance lawyer is supposed to be doing? Without assuring himself — pursuant to his own understanding of what the law permits and forbids — that the NSA’s mass spying programs are in fact authorized?

These are important questions, because DeLong isn’t just talking about his job — he’s trying to convince us that he’s part of a culture at the NSA that values the law and respects it. And DeLong’s role in this, by his own account, is to obsessively micro-manage NSA personnel and processes to make sure that they behave. At which point, DeLong’s interviewer, Ben Wittes, asks precisely the sort of question that DeLong’s account is intended to elicit. Wittes: “I’m interested in a cultural question. Having built . . . a microcosm of NSA devoted to the most neurotically detailed compliance, it must be very odd for you to see the way the agency is described . . . as lawless . . .”

The answer to this is that compliance is not the same thing as lawfulness. If the rule with which DeLong is complying is itself unlawful, the compliance is merely the appearance of lawfulness without its substance. And the role of the lawyers – and this goes for both De and DeLong – does not vindicate the law, but subverts it.

Published in: Publication , Other Writing , Privacy , NSA